1166. This week, we look the grammar of the Academy Awards and how to avoid an "illogical plot twist" in your sentences. Then, we look at common time-related redundancies like "period of time," the proper way to use "a.m." and "p.m.," and why the abbreviation UTC doesn't actually match its name. 

The Academy Awards segment was written by Jim Norrena.

🔗 Join the Grammar Girl Patreon.

🔗 Share your familect recording in Speakpipe or by leaving a voicemail at 833-214-GIRL (833-214-4475)

🔗 Watch my LinkedIn Learning writing courses.

🔗 Subscribe to the newsletter.

🔗 Take our advertising survey. 

🔗 Get the edited transcript.

🔗 Get Grammar Girl books. 

| HOST: Mignon Fogarty

| Grammar Girl is part of the Quick and Dirty Tips podcast network.

• Audio Engineer: Castria Communications
• Director of Podcast: Holly Hutchings
• Advertising Operations Specialist: Morgan Christianson
• Marketing and Video: Nat Hoopes, Rebekah Sebastian
• Podcast Associate: Maram Elnagheeb

| Theme music by Catherine Rannus.

| Grammar Girl Social Media: YouTube. TikTok. Facebook. Threads. Instagram. LinkedIn. Mastodon. Bluesky.

Download audio: https://dts.podtrac.com/redirect.mp3/media.blubrry.com/grammargirl/cdn.simplecast.com/media/audio/transcoded/dd74e7bd-f654-43a6-b249-3f071c897900/e7b2fc84-d82d-4b4d-980c-6414facd80c3/episodes/audio/group/38d68979-253a-44a6-8cea-829ac03e3c9a/group-item/6ea57fe4-2440-4344-82f5-277f4b226911/128_default_tc.mp3?aid=rss_feed&feed=XcH2p3Ah

If you're a software engineer right now, you likely feel like your world is changing overnight. We are writing half or less the amount of code that we wrote even a year ago, which represents a seismic, groundbreaking shift in our industry. However, the rapid introduction of new tools can slide quickly from exciting to purely chaotic, leaving you feeling like you are falling behind. In today's episode, I explore how this changes the nature of our day-to-day work, and why the key to surviving this transition is shifting your mindset from a traditional "Software Engineer" to an "Agent Manager".

• The Illusion of Velocity vs. Actual Chaos: While the big-picture promise of AI is that the software development pipeline will move exponentially faster, the reality on the ground often feels like unadulterated chaos. Trying to adopt every new tool while spinning up multiple agents to work on parallel tickets introduces a massive new cognitive burden.
• The Context-Switching Trap: Understand why parallelizing agent workflows fundamentally changes your context-switching overhead. You are no longer just reloading context to build something yourself; you are reloading it to manage, review, and validate a building agent, which rapidly drains your cognitive ability and leads to burnout.
• The "Agent Manager" Mindset: Treating AI as just a "smart autocomplete" while you try to do the same old job will not work. You need to start viewing your role more like assembly line or process management, focusing on facilitating the system rather than typing every line of syntax.
• Adopt Old-School Quality Control Tactics: Discover how traditional management methods are becoming essential for individual contributors. Just like a factory manager doesn't inspect every single item off the line, you must develop methods for spot checks, anomaly detection, and standardizing outputs to evaluate the quality and quantity of your agents' work.
• Shift Your Work Upfront: Recognize that your core effort must move to the specification and planning phases. Your job is increasingly about setting the context, defining the prompt, and establishing strict guardrails before the agent begins its work.
• Redefining Your Work in Progress (WIP): Proven principles like limiting WIP and focusing on finishing rather than starting are more important than ever to reduce cognitive burden. However, you must adapt these principles to fit a workflow where you are managing processes rather than manually coding.
• Episode Homework: Take a step back and ask yourself: "What is my true work in progress? Am I actually manually doing these tickets, or am I managing the processes that produce quality ticket work?".

🙏 Today's Episode is Brought To you by: SerpApi

No matter what you're building, SerpApi is the web search API for your needs. If you're building an application that needs real-time search data—whether that's an AI agent, an SEO tool, or a price tracker—SerpApi handles it for you. ● Make an API call and get back clean JSON. ● They handle the proxies, CAPTCHAs, parsing, and all the scraping so you don't have to. ● They support dozens of search engines and platforms, and are trusted by companies like NVIDIA, Adobe, and Shopify. ● If you're building with AI, they even have an official MCP to make getting up and running a simple task. Get started with a free tier to build and test your application before you commit. Go to serpapi.com.

📮 Ask a Question

If you enjoyed this episode and would like me to discuss a question that you have on the show, drop it over at: developertea.com.

📮 Join the Discord

If you want to be a part of a supportive community of engineers (non-engineers welcome!) working to improve their lives and careers, join us on the Developer Tea Discord community today!

🗞️ Subscribe to The Tea Break

We are developing a brand new newsletter called The Tea Break! You can be the first in line to receive it by entering your email directly over at developertea.com.

🧡 Leave a Review

If you're enjoying the show and want to support the content head over to iTunes and leave a review!

Download audio: https://dts.podtrac.com/redirect.mp3/cdn.simplecast.com/media/audio/transcoded/2d4cdf11-7df5-47fc-923f-3ff64405a15a/c44db111-b60d-436e-ab63-38c7c3402406/episodes/audio/group/68e061e9-e578-4db7-a4a3-f3202b4d63ff/group-item/f103e182-f009-4b6a-9cdb-c9cef4156c88/128_default_tc.mp3?aid=rss_feed&feed=dLRotFGk

AGENTS.md is becoming the common language for AI coding tools, but keeping repo
rules, personal rules, and tool-specific files in sync is still messy. In this
episode, Kaushik and Iury break down the sync problem, compare their own setups,
and unpack what the latest AGENTS.md research actually says.

Full shownotes at fragmentedpodcast.com.

Show Notes

The sync problem

• AGENTS.md - Official spec
• Custom instructions with AGENTS.md -
  Open AI
• Keep your AGENTS.md in sync - Kaushik's post
• Rulesync - What Iury uses
• Tweet by Ryan Carson and Claude frustrations

Other links

• Evaluating AGENTS.md: Are Repository-Level Context Files Helpful for Coding Agents?
• Harness engineering - Check the section about using AGENTS.md as a table of contents
• OpenCode

Get in touch

We'd love to hear from you. Email is the
best way to reach us or you can check our contact page for other
ways.

We want to hear all the feedback: what's working, what's not, topics you'd like
to hear more on.

• Contact us
• Newsletter
• Youtube
• Website

Co-hosts:

• Kaushik Gopal
• Iury Souza

[!fyi] We transitioned from Android development to AI starting with
Ep. #300. Listen to that episode for the full story behind
our new direction.

Download audio: https://cdn.simplecast.com/media/audio/transcoded/eea5748e-09ed-4c46-8f6a-b2569dd75851/20f35050-e836-44cd-8f7f-fd13e8cb2e44/episodes/audio/group/46de80ba-ac49-4b84-a6d5-0af69b867306/group-item/c3992cc4-f63a-40f5-b2a2-b07fe63bb44a/128_default_tc.mp3?aid=rss_feed&feed=LpAGSLnY

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is ⁠⁠⁠⁠⁠⁠⁠Selena Larson⁠⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠⁠Proofpoint⁠⁠⁠⁠⁠⁠⁠ intelligence analyst and host of their podcast ⁠⁠⁠⁠⁠⁠⁠DISCARDED⁠⁠⁠⁠⁠⁠⁠. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by her co-hosts ⁠⁠⁠⁠⁠⁠⁠N2K Networks⁠⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠⁠ and ⁠⁠⁠⁠⁠⁠Keith Mularski⁠⁠⁠⁠⁠⁠, former FBI cybercrime investigator and now Chief Global Ambassador at ⁠⁠⁠⁠⁠⁠Qintel⁠⁠⁠⁠⁠⁠.

Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, our hosts start with a deep dive into artificial intelligence and its impact on cybersecurity. They explore AI-driven malware, accelerated attack chains like the Fortinet case, and how defenses are adapting—but emphasize that good security hygiene still works. They also debate AI’s effects on creativity and society, highlighting the importance of guardrails and responsible use.

Download audio: https://traffic.megaphone.fm/CYBW4803986750.mp3?updated=1773073264

I wrote code without tests that ran in production without defects, and I wrote buggy code with TDD (Test Driven Development). Time to look back at 35 years of coding and when tests help, and when there is something better. And especially, what these better things are.

Why test?

For me, there are three reasons to test the software I (or we as a team) write manually or automatically:

1. Check expectations – “it works”
2. Prevent regressions – “it keeps working (after changes)”
3. Drive the implementation – “I know what I have and need, but not yet how to achieve this.”

I like (manual) exploratory testing to check my expectations and to find holes in the code that are not working correctly. On the other side, I dislike manually executed test cases to prevent regressions. They are cumbersome and way too expensive to do over and over again.

Automated testing approaches such as unit testing and approval testing are effective for preventing regressions.

TDD is great for driving the implementation of complicated business logic or algorithms.

Property-based testing can help prevent regressions and identify missing pieces in algorithms.

There are also kinds of tests I dislike:

• E2E (end-to-end) tests: They typically need a complicated setup to run, which makes them brittle.
• BDD / Spec-driven: Too much focus on the specification, often leading to rigid systems (but this would be a whole series of blog posts on its own) – I, however, like the involvement of domain experts and developers. But I can do that with TDD as well.

Of course, there are many more kinds of tests. Choose what matches your situation.

Reasons for defects?

To choose the right kinds and number of tests, we need to understand where defects in our software come from. The causes vary by team and tech stack. I try to give an overview here.

Nulls: When your programming language allows nulls, then you have to deal with them. Dealing with nulls in every situation is simply difficult and, therefore, error-prone.

Shared mutable state: We quickly get overwhelmed with the hidden coupling that shared mutable state introduces into our codebase – especially in multi-threading scenarios. This quickly leads to wrong assumptions and, therefore, to defects.

Integration problems (wrong assumptions): A component or library we integrate into our own codebase behaves differently than we expected.

Misunderstanding (not solving the problem): We didn’t fully understand the problem to be solved, and we delivered an incomplete or incorrect solution.

Misbehaving infrastructure: Our software is misbehaving because of a defect in the infrastructure we rely on.

Programming traps: Programming is tricky, and we sometimes get it wrong. For example, never divide first, then multiply (x/100*7); always multiply first, then divide (x*7/100). Otherwise, precision can get you. Or when summing floating point numbers, always sort them first (ascending).

Wrong equality checks: In runtimes like .Net, everything provides an Equals method, but they do not always act as we assume. Comparing by reference instead of deep equality of the fields/properties quickly leads to defects. And there are more equality checks happening than we are typically aware of, for example, when using HashSets, Dictionaries, etc.

Ignored expression results: Most programming languages allow ignoring the result of an expression. For example, you can call a method returning a value, and just ignore it. But sometimes we should react to the returned value to prevent defects. For example, when we ignore the result of an expression that tells us whether things went well or badly. Ignoring the “bad” return value likely leads to a defect.

Implicit casts: Implicit casts can introduce hidden, unsafe type conversions that can silently corrupt data, break type safety, and cause unpredictable runtime errors.

There are obviously more sources of defects than the ones above.

Level of correctness

We also need to be aware of the level of correctness that we want to achieve, given our context.

On the continuum from “it might run” to having a “proof of correctness”, we typically want to be at the “we are confident” spot – in the context of business applications. Surely, not at the “we have 100% test coverage” spot. Proofing for correctness is typically a lot of effort and not worth the quality gain.

In our team, we don’t need perfect software. In many cases, it is sufficient to respond quickly, and the impact on our users and our business is minimal. The greater the impact, or the longer it takes to detect and fix a defect, the higher our quality standard needs to be.

So, our quality standard for core business logic code is much higher than for UIs that add simple data. In a later part of this series, I’ll show how slicing reduces the impact radius significantly.

Test Effort

Having (automated) tests brings a lot of effort with them – even when we write good, concise, and refactoring-friendly tests:

• writing the tests (with good error messages)
• running the tests (during development and as part of the build and release pipeline)
• maintaining the test code (due to design changes)
• changing the tests (due to changing business needs)
• mis-hits (due to flaky or overly-specific tests)

Obviously, tests have their benefits. But we shouldn’t overlook that they also require effort. So, if we could replace them with something cheaper or faster (development and runtime), that would be beneficial.

The hard things to test

Many things are easy to test: throw some input at a method or function and check the return value, and maybe some side-effects (preferably state-based or, less preferably, interaction-based).

However, there are things that are inherently hard to test:

• Combinatorics: e.g. calculations or queries with lots of variations (the result depends on subtle dependencies of many input values)
• Multi-threading
• Boundaries of the system (including UI)
• Things with many dependencies (and they can’t be reduced meaningfully)
• Stateful code

For these scenarios, finding a way to ensure quality without relying on tests would be especially beneficial.

Next time

In this post, I’ve written about why we write tests, reasons for defects, and why it would be nice to have something less expensive to replace some tests.

In later parts, you’ll see several ideas about how to reduce the number of tests needed, thus reducing development effort.

Anthropic announced the release of the Agent Skills functionality on October 16, 2025. This functionality was initially implemented in Claude software, but now it's available on many other agents, including Goose. Agent Skills is based on the concept of skills, a capability that trains an agent or client on tasks tailored to the way users work. Skills are based on folders and files, providing functionality similar to MCP but with a different approach. This article explores how to manage the security threats and access controls associated with adopting the new Agent Skills functionality.

How Agent Skills works

The following is an example of a skill extracted from the Agent Skills documentation. Skills are based on folders and files. Each skill has its own folder containing a SKILL.md file. The following code is the content of the SKILL.md file.

---
name: pdf-processing
description: Extract text and tables from PDF files, fill forms, merge documents.
---
# PDF Processing
## When to use this skill
Use this skill when the user needs to work with PDF files...
## How to extract text
1. Use pdfplumber for text extraction...
## How to fill forms
...

Here, we are defining a skill to extract text and tables from PDF files, fill forms, and merge documents. The body of the skill describes how to execute the procedural knowledge task, among other information.

This is the basic directory structure:

skill-name/
└── SKILL.md          # Required

Source: https://agentskills.io/specification#directory-structure

The basic structure of a SKILL.md file consists of an initial section called the frontmatter. The frontmatter is written in YAML, followed by a body written in Markdown. For the full specification, visit the Agent Skills home page.

When an agent works with Agent Skills, the agent loads the metadata within the frontmatter of all available skills. When the agent receives a request, it uses the metadata and available LLMs to decide which skill to use next. Once decided, the agent loads the body of the skill, which may be the whole description of the task or it may refer to other Markdown files in the skill folder. In this case, the agent will load them intelligently as needed. This means that the body of any skill can be split into different files to reduce the amount of information put in the context each time. It is possible to put all the information in one skill file, but it is recommended to put each task in a specific skill file, optimizing the context. In any case, the primary body is in SKILL.md and should point to the other Markdown files that we want to use in the skill.

The SKILL.md file can also refer to scripts, such as Python, Bash, and JavaScript, present in the skill folder for the skill to execute them when needed. These scripts may also have dependencies. As you can imagine, executing scripts involves some security risks.

The Agent Skills specification defines additional optional directories:

• scripts/ For executable code that may be executed by the skills.
• references/ For additional documentation that skills may use.
• assets/ For static resources such as images, templates, or data files.

Improve security of the skill files

Skills are based on folders and files. If the permissions for these folders and files are not set correctly to ensure only authorized users can modify them, malicious actors who already have direct or indirect access to the filesystem could exploit this. This risk is not that high because it’s not trivial that a malicious actor already has access to the filesystem, but we should take this risk into account specially when implementing security by design and by default and defense in depth. If the permissions are not correctly set and malicious actors have this opportunity, they could modify skill files to introduce unauthorized instructions, add malicious scripts that can be executed with the agent's permissions, often the same permissions as the user, or alter existing scripts to include malicious code.

The permissions on the skills folders and files should be restricted as much as possible by default. If the skills are stored in another system, for example, a skills registry, the permissions in the registry should also be restricted as much as possible by default. It is recommended that any access or modification to the skill files is logged. The logs generated should be protected to avoid unauthorized modification.

Malicious skills

Skills may contain executable scripts in different languages, such as Python or Bash. This provides a lot of power to skills, but it also involves security risks. These scripts may contain malware. If the sources can’t be trusted, check the skills’ source code. The more important the tasks, the more thorough the review should be. Depending on your risk appetite, rather than doing a code review, a way to reduce the risk of Agent Skills having malware is to execute malware scans on them, for example, with tools as malcontent.

Another way of improving the security of your supply chain with relation to Agent Skills is to require them to be signed and validate their signature before use. There is no widely known initiative to sign Agent Skills, but this is something that users and customers should require if they consider it a relevant security control.

Note that although skills are initially safe, if an automatic mechanism to upgrade them exists, an upgrade can include malicious code or vulnerabilities, especially if they come from untrusted sources. In any case, depending on your risk appetite, reviewing the code of any new version of a skill that you plan to use is recommended.

Security vulnerabilities

Skills that contain scripts may have their own security vulnerabilities. Therefore, all security controls from secure development best practices apply here, including code reviews, SAST, DAST, and fuzzing.

Providing companies must also implement vulnerability management processes to identify and resolve security issues at regular intervals, in accordance with their SLAs.

Agents could also contain security vulnerabilities Since the SKILL.md file starts with a YAML section, it is possible that the YAML parser of an agent contains a vulnerability and a malformed malicious YAML in a skills file can exploit it to execute commands in the system or leak information.

Another way to reduce the risk of a vulnerability being exploited in skill scripts is to execute them in isolated environments such as containers or sandboxed environments. Examples of technologies that can be used are seccomp, AppArmor, or Firecracker VMs. Egress communication from these isolated environments to the Internet should also be restricted.

Prompt injection

Part of Agent Skills data flow consists of the agent obtaining information from a source, for example, a document or a webpage, and using that information to compose a prompt to be sent to an LLM to decide the next action or to compose the final output. Since part of the analyzed document is injected in the prompt sent to the LLM, there is a risk of prompt injection. This security issue occurs when input intended as data is interpreted as an instruction by the LLM instead. Agentic systems remain vulnerable to this issue because there is no industry-standard fix. While SQL injection can be mitigated through prepared statements, no similar control currently exists to reliably separate data from instructions in LLM prompts.

Although there are no definitive solutions to eliminate the risk of prompt injection, there are controls that can be applied to reduce the probability and impact of it.

Guardrails is a common security control that is gaining traction in AI systems, especially agentic AI systems that use Skills or other agentic protocols like MCP or A2A. Guardrails are systems that monitor the input and output of an agent or LLM to distinguish between benign and malicious content. If content is benign, the guardrails system lets them pass to the next system. If not, it can perform actions such as modifying the payload, blocking, logging, and throttling content. Since guardrails rely on the ability to distinguish between benign and malicious intent, a classic, and often unsolvable, problem in security, it is not a definitive solution. For that, we need patterns, such as regexes, or use other specialized LLMs. In any case, guardrails are a sound control to reduce the risk of prompt injection. For example, TrustyAI is an open source project developed by Red Hat that includes guardrail capabilities. 

Another key security control is to limit the permissions that an agent has. At a maximum, an agent should only possess the permissions of the user executing it, never more. Ideally, agents should operate with a restricted subset of those permissions, dynamically derived from the specific task or intent. Dynamic authorization for AI agents remains a compelling area for further exploration. In addition to permission limiting, agents should be executed within isolated environments, such as containers or virtual machines, to provide a robust security boundary.

One more control is using the experimental `allowed-tools` field defined by the Agent Skills specification. The specification states that, as it is experimental, it might not be supported by all agents yet. In any case, it is worth pushing for it. This is a mechanism to limit the tools that will be available to the agent, thus, reducing the risk of a malicious prompt injection or an unintended behavior. `allowed-tools` doesn't reduce the probability of prompt injection, but it reduces the impact.

Many of these security controls discussed not only reduce threats by malicious actors, but also reduce risks related to unintended behaviors of agentic systems due to the inherent probabilistic and non-deterministic nature of current LLMs.

Credentials management

While the Agent Skills specification does not prescribe a specific method for credential management, secure handling remains a critical security component. Since agents must interact with external systems to perform actions, they require a robust authentication framework. In scenarios where manual user intervention is not feasible, it is essential to implement standardized solutions like OAuth 2.0 to manage these permissions securely.

Under no circumstances should credentials be stored in plain text or embedded directly within the skills themselves. To mitigate the risk of accidental exposure, users should be educated on secure storage practices and utilize automated secret-scanning tools, such as Trufflehog, to detect hardcoded credentials before deployment.

Final thoughts

Agent Skills introduces a flexible and modular way to extend the functionality of intelligent agents through skill-based orchestration of tasks. This extensibility empowers organizations to build specialized and adaptable AI ecosystems, and expands the attack surface in familiar and novel ways. As shown, risks span from modifying skill at the filesystem level and malicious or vulnerable scripts to prompt injection and credential exposure, demanding a comprehensive and proactive security posture.

Mitigating these risks requires combining traditional secure development practices, such as strict permissions, code reviews, and scanning, with AI-specific controls like guardrails, sandboxing, and controlled permissions. The introduction of constructs such as allowed-tools and signed skill registries marks an important step toward safer deployment, though these mechanisms remain in an early stage of maturity. Organizations adopting Agent Skills should therefore balance innovation with discipline, embedding continuous monitoring, validation, and threat modeling into their workflows.

Ultimately, the security of Agent Skills will depend not only on technical controls but also on the governance and culture surrounding their use. Collaboration between AI developers, security teams, and the open source community will be crucial to evolving standards that can keep pace with this rapidly advancing capability. As Agent Skills continue to mature, their secure adoption will shape the trust, reliability, and resilience of agentic systems using them.

Be sure to check out TrustyAI on GitHub, a default component of Open Data Hub and Red Hat Openshift AI.

The post Agent Skills: Explore security threats and controls appeared first on Red Hat Developer.